Adoptable Cookbooks List

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

iptables-ng Cookbook

This cookbook maintains and installs iptables and ip6tables rules, trying to keep as close to the way the used distribution maintains their rules.

Contrary to other iptables cookbooks, this cookbook installs iptables and maintains rules using the distributions default configuration files and services (for Debian and Ubuntu, iptables-persistent is used). If the distribution has no service for iptables, it falls back to iptables-restore.

It provides LWRPs as well as recipes which can handle iptables rules set in the nodes attributes.

It uses the directory /etc/iptables.d to store and maintain its rules. I'm trying to be as compatible as much as possible to all distributions out there.

Requirements

The following distribution are best supported, but as this recipe falls back to a generic iptables restore script in case the system is unknown, it should work with every linux distribution supporting iptables.

Ubuntu 10.04, 12.04, 14.04, 14.10

Debian 7 (6 should work, too)

RHEL 5.9, 6.x, 7.x

Gentoo

Archlinux

No external dependencies. Just add this line to your metadata.rb and you're good to go!

depends 'iptables-ng'

Attributes

General configuration (services, paths)

While iptables-ng tries to automatically determine the correct settings and defaults for your distribution, it might be necessary to adapt them in certain cases. You can configure the behaviour of iptables-ng using the following attributes:

# The ip versions to manage iptables for
node['iptables-ng']['enabled_ip_versions'] = [4, 6]
# Which tables to manage:
# When using a containered setup (OpenVZ, Docker, LXC) it might might be
# necessary to remove the "nat" and "raw" tables.
node['iptables-ng']['enabled_tables'] = %w(nat filter mangle raw)
# An array of packages to install.
# This should install iptables and ip6tables,
# as well as a system service that takes care of reloading the rules
# On Debian and Ubuntu, iptables-persistent is used by default.
node['iptables-ng']['packages'] = %w(iptables)
# The name of the service that will be used to restart iptables
# By default, the system service of your distribution is used, so don't worry about it unless you
# have special requirements. If iptables-ng can't figure out the default service to use or these
# attributes are set to nil, iptables-ng will fall back to "iptables-restore"
node['iptables-ng']['service_ipv4'] = 'iptables-persistent'
node['iptables-ng']['service_ipv6'] = 'iptables-persistent'
# The location were the iptables-restore script will be written to
node['iptables-ng']['script_ipv4'] = '/etc/iptables/rules.v4'
node['iptables-ng']['script_ipv6'] = '/etc/iptables/rules.v6'

Rule configuration

The use of the LWRPs is recommended, but iptables-ng can be configured using attributes only.

Auto-pruning

In Chef, it is generally accepted that removing node attributes does not result in their corresponding resources being proactively scrubbed from the system. However, this could be seen as irritating or even a security risk when dealing with firewall attribute rules in this cookbook. To automatically prune rules for attributes that have been removed, set the following attribute to true. This will not affect rules defined with the LWRP.

node['iptables-ng']['auto_prune_attribute_rules'] = true

Recipes

default

The default recipe calls the install recipe, and then configures all rules and policies given in the nodes attribute.

Example:

To allow only SSH for incoming connections, add this to your node configuration

Known issues

There are some issues with systemd support on Fedora systems. Also it might be required to install iptables-service on newer Fedora machines.
Due to this issues, the tests for Fedora were removed until they are resolved.
Furthermore, due to the lack of Opscode kitchen boxes, there are not tests for Archlinux.

Contributing

You fixed a bug, or added a new feature? Yippie!

Fork the repository on Github

Create a named feature branch (like add_component_x)

Write you change

Write tests for your change (if applicable)

Run the tests, ensuring they all pass

Submit a Pull Request using Github

Contributions of any sort are very welcome!

License and Authors

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.